ES2881289T3 - Method to manage a trusted identity - Google Patents
Method to manage a trusted identity Download PDFInfo
- Publication number
- ES2881289T3 ES2881289T3 ES16815856T ES16815856T ES2881289T3 ES 2881289 T3 ES2881289 T3 ES 2881289T3 ES 16815856 T ES16815856 T ES 16815856T ES 16815856 T ES16815856 T ES 16815856T ES 2881289 T3 ES2881289 T3 ES 2881289T3
- Authority
- ES
- Spain
- Prior art keywords
- user
- key
- identity
- verifier
- issuer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/50—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/42—Anonymization, e.g. involving pseudonyms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
Un método para autenticar la identidad de confianza de un usuario (ID) mediante un dispositivo verificador, siendo dicha identidad de confianza de usuario emitida por un emisor que tiene una clave pública, en donde el usuario tiene un dispositivo de usuario que envía un mensaje al dispositivo verificador, dicho mensaje que comprende un identificador de transacción (T id) y una clave pública de usuario (Kpub) asignada al usuario, en donde el dispositivo verificador recupera una transacción de cadena de bloques (T) que comprende una firma del emisor en la identidad de confianza del usuario y la clave pública del usuario, una clave cifrada (e_K) y una identidad cifrada (e_ID) de una cadena de bloques usando el identificador de transacción y verifica la transacción, en donde la clave cifrada es generada por el usuario cifrando una clave secreta con una primera clave de cifrado que deriva, en caso de verificación exitosa, el dispositivo verificador envía un desafío (C) al dispositivo de usuario que calcula una respuesta firmando el desafío usando la clave privada del usuario y envía la respuesta al dispositivo verificador, el dispositivo verificador comprueba la firma del usuario usando el clave pública de usuario y en caso de comprobación exitosa de la firma del usuario: el dispositivo verificador envía la clave cifrada y una clave pública del verificador (V_Kpub) al dispositivo del usuario, el dispositivo del usuario deriva una clave de cifrado de claves (KEK) y recupera la clave secreta (K) descifrando la clave cifrada utilizando la clave de cifrado de claves, luego el dispositivo de usuario cifra la clave secreta utilizando la clave pública del verificador y envía la nueva clave cifrada resultante (V_e_K) al dispositivo verificador, el dispositivo verificador recupera la clave secreta descifrando la nueva clave cifrada utilizando una clave privada del verificador, luego el dispositivo verificador recupera la identidad de confianza del usuario descifrando la identidad cifrada utilizando la clave secreta, el dispositivo verificador verifica la firma del emisor utilizando tanto la identidad de confianza del usuario, la clave pública del usuario como la clave pública del emisor.A method of authenticating a user's trusted identity (ID) by means of a verifier device, said trusted user identity being issued by an issuer having a public key, wherein the user has a user device that sends a message to the verifying device, said message comprising a transaction identifier (T id) and a public user key (Kpub) assigned to the user, wherein the verifying device retrieves a block chain transaction (T) comprising a signature of the issuer in the trusted identity of the user and the public key of the user, an encryption key (e_K) and an encryption identity (e_ID) of a blockchain using the transaction identifier and verifies the transaction, where the encryption key is generated by the user encrypting a secret key with a first encryption key that derives, in case of successful verification, the verifying device sends a challenge (C) to the user device ary that calculates a response by signing the challenge using the user's private key and sends the response to the verifier device, the verifier device verifies the user's signature using the user's public key and in case of successful verification of the user's signature: the device verifier sends the encrypted key and a verifier public key (V_Kpub) to the user device, the user device derives a key encryption key (KEK) and retrieves the secret key (K) by decrypting the encrypted key using the encryption key then the user device encrypts the secret key using the verifier's public key and sends the resulting new encrypted key (V_e_K) to the verifier device, the verifier device retrieves the secret key by decrypting the new encrypted key using a verifier's private key , then the verifier device retrieves the trusted identity of the user by decrypting the identity encrypted using the secret key, the verifier device verifies the sender's signature using both the user's trusted identity, the user's public key, and the sender's public key.
Description
DESCRIPCIÓNDESCRIPTION
Método para gestionar una identidad de confianzaMethod to manage a trusted identity
(Campo de la invención)(Field of the invention)
La presente invención se refiere a métodos para gestionar una identidad de confianza para un usuario. Se relaciona en particular con métodos para desplegar la identidad de confianza del usuario y con métodos para autenticar la identidad de confianza del usuario.The present invention relates to methods of managing a trusted identity for a user. It relates in particular to methods for displaying the trusted identity of the user and to methods for authenticating the trusted identity of the user.
(Antecedentes de la invención)(Background of the invention)
Las identidades de confianza y emitidas centralmente se utilizan ampliamente para beneficios laborales, fiscales, hipotecarios, de atención médica o de seguridad social, por ejemplo. Una identidad de confianza es una identidad cuyo contenido se puede autenticar. Sin embargo, el robo de identidad y el fraude de identidad son problemas importantes. Cada año, los estafadores robaron miles de millones de dólares a millones de consumidores. Tal fraude es posible porque no existe una manera fácil de verificar al verdadero propietario de una identidad de confianza. En otras palabras, un ladrón puede utilizar una identidad de confianza robada, ya que solo se controla la validez, como tal, de la identidad de confianza.Trusted and centrally issued identities are widely used for employment, tax, mortgage, health care, or social security benefits, for example. A trusted identity is an identity whose content can be authenticated. However, identity theft and identity fraud are major problems. Every year, scammers stole billions of dollars from millions of consumers. Such fraud is possible because there is no easy way to verify the true owner of a trusted identity. In other words, a thief can use a stolen trusted identity, as only the validity, as such, of the trusted identity is checked.
El documento titulado Bitcoin: iguala Peer-to-Peer Electronic Cash System con fecha del 31 de octubre de 2008 de Satoshi Nakamoto describe el esquema de Bitcoin basado en el sistema de cadena de bloques.Satoshi Nakamoto's document titled Bitcoin: Equals Peer-to-Peer Electronic Cash System dated October 31, 2008 outlines the Bitcoin scheme based on the blockchain system.
Los capítulos 10, 12 y 13 del Manual de Criptografía Aplicada de A. Menezes, P. van Oorschot y S. Vanstone con fecha de 1996 describe cuestiones relacionadas con las técnicas de gestión de claves, la identificación y autenticación de entidades y los protocolos de establecimiento de claves.Chapters 10, 12 and 13 of the Manual of Applied Cryptography by A. Menezes, P. van Oorschot and S. Vanstone dated 1996 describe issues related to key management techniques, entity identification and authentication, and authentication protocols. establishment of keys.
El documento titulado A new Convergent Identity System based on EAP-TLS Smart cards de P. Urien et al describe un sistema de identidad que funciona con tarjetas inteligentes EAP-TLS.The document entitled A new Convergent Identity System based on EAP-TLS Smart cards by P. Urien et al describes an identity system that works with EAP-TLS smart cards.
Por lo tanto, existe la necesidad de desarrollar nuevos métodos y dispositivos que permitan evitar que varias personas reclamen una misma identidad de confianza.Therefore, there is a need to develop new methods and devices that prevent multiple people from claiming the same trusted identity.
(Compendio de la invención)(Compendium of the invention)
Un objeto de la invención es resolver el problema técnico mencionado anteriormente.An object of the invention is to solve the technical problem mentioned above.
Un objeto de la presente invención es un método para autenticar la identidad de confianza de un usuario mediante un dispositivo verificador como se define en la reivindicación 1. Se definen varias realizaciones en las reivindicaciones dependientes.An object of the present invention is a method for authenticating the trusted identity of a user by means of a verifying device as defined in claim 1. Various embodiments are defined in the dependent claims.
Otro objeto de la presente invención es un dispositivo verificador configurado para autenticar una identidad de confianza de usuario de un usuario emitida por un emisor que tiene una clave pública como se define en la reivindicación 4.Another object of the present invention is a verifying device configured to authenticate a trusted user identity of a user issued by an issuer having a public key as defined in claim 4.
(Breve descripción de los dibujos)(Brief description of the drawings)
Otras características y ventajas de la presente invención surgirán más claramente a partir de la lectura de la siguiente descripción de una serie de realizaciones preferidas de la invención con referencia a los dibujos adjuntos correspondientes en los que:Other features and advantages of the present invention will emerge more clearly from reading the following description of a series of preferred embodiments of the invention with reference to the corresponding accompanying drawings in which:
- La Figura 1 representa un diagrama de flujo que muestra un primer ejemplo de secuencia de emisión de identidad según la invención,- Figure 1 represents a flow chart showing a first example of identity emission sequence according to the invention,
- La Figura 2 representa un diagrama de flujo que muestra un ejemplo de secuencia de prueba de identidad según la invención,- Figure 2 represents a flow chart showing an example of an identity test sequence according to the invention,
- La Figura 3 representa un diagrama de flujo que muestra un segundo ejemplo de secuencia de emisión de identidad según la invención,- Figure 3 represents a flow chart showing a second example of identity emission sequence according to the invention,
- La Figura 4 muestra un ejemplo de un dispositivo emisor según la invención,- Figure 4 shows an example of an emitter device according to the invention,
- La Figura 5 muestra un ejemplo de un dispositivo de usuario según la invención, y- Figure 5 shows an example of a user device according to the invention, and
- La Figura 6 muestra un ejemplo de un dispositivo verificador según la invención.- Figure 6 shows an example of a verification device according to the invention.
(Descripción detallada de las realizaciones preferidas)(Detailed description of preferred embodiments)
La invención puede aplicarse a cualquier tipo de identidad digital emitida por una autoridad emisora (también llamada emisor) y destinada a asignarse a un usuario. The invention can be applied to any type of digital identity issued by an issuing authority (also called an issuing authority) and intended to be assigned to a user.
La invención se basa en un par de claves pública/privada y en funciones criptográficas como se usa comúnmente en el llamado dominio de criptografía de clave pública.The invention is based on a public / private key pair and cryptographic functions as commonly used in the so-called public key cryptography domain.
Se supone que el usuario tiene un dispositivo (llamado dispositivo de usuario) que se utiliza para el despliegue de identidad de confianza y para la verificación de identidad de confianza. El dispositivo de usuario puede ser un pasaporte, una licencia de conducir, un teléfono inteligente, una tableta, un par de anteojos electrónicos, un reloj electrónico, una pulsera electrónica, un dispositivo electrónico que se puede llevar puesto, una máquina de juego portátil o un ordenador, por ejemplo.The user is assumed to have a device (called a user device) that is used for trusted identity deployment and for trusted identity verification. The user device can be a passport, a driver's license, a smartphone, a tablet, a pair of electronic glasses, an electronic watch, an electronic bracelet, a wearable electronic device, a portable game machine, or a computer, for example.
El emisor de identidad es la entidad que emite la identidad de confianza, por ejemplo, licencia de conducir, número de seguridad social, pasaporte, ID de atención médica, etc. Por lo tanto, la identidad de confianza puede ser un documento de identidad emitido por un emisor y puede contener un identificador, información diversa o atributos de usuario. La identidad de confianza también puede ser uno o más atributos examinados asociados con un usuario. En este caso, el emisor responde por los atributos.The identity issuer is the entity that issues the trusted identity, for example, driver's license, social security number, passport, health care ID, etc. Therefore, the trusted identity can be an identity document issued by an issuer and can contain an identifier, various information or user attributes. The trusted identity can also be one or more examined attributes associated with a user. In this case, the issuer vouches for the attributes.
Se asume que el usuario solicita una identidad de confianza (o da fe de los atributos) y usa la identidad de confianza cuando sea necesario. El usuario puede ser una persona, una máquina o un dispositivo de Internet de las cosas (IoT).The user is assumed to request a trusted identity (or attest to the attributes) and uses the trusted identity when necessary. The user can be a person, a machine, or an Internet of Things (IoT) device.
El verificador es una entidad que necesita que el usuario demuestre la propiedad y la legitimidad de la identidad de confianza. Por ejemplo, un verificador puede ser un proveedor de servicios, por ejemplo, un banco, o un par del usuario, por ejemplo, otro dispositivo de IoT. Se supone que el usuario desea un servicio del proveedor de servicios, por ejemplo, solicitar una hipoteca. El proveedor de servicios desea una identidad de confianza del usuario y necesita saber que el usuario es realmente el propietario de la identidad de confianza. El usuario debe demostrarlo. Se supone que el verificador conoce y confía en el emisor.The verifier is an entity that requires the user to prove the ownership and legitimacy of the trusted identity. For example, a verifier can be a service provider, for example, a bank, or a user peer, for example, another IoT device. The user is supposed to want a service from the service provider, for example, apply for a mortgage. The service provider wants a trusted identity of the user and needs to know that the user actually owns the trusted identity. The user must prove it. The verifier is assumed to know and trust the issuer.
Una cadena de bloques (también llamada cadena de bloques) es un libro mayor distribuido que mantiene una lista en continuo crecimiento de registros de datos transaccionales que se supone que son resistentes a la manipulación y revisión. Generalmente, una cadena de bloques se basa en un servidor de marca de tiempo que, después de agrupar las transacciones recientes en bloques, toma un hash de un bloque para marcar el tiempo y publica ampliamente el hash. El hash permite probar que los datos deben haber existido en ese momento. El hash de cada bloque incluye el hash del bloque anterior. Por lo tanto, se crea una cadena de bloques donde cada bloque se vincula a su predecesor. Por lo tanto, una transacción registrada en un bloque se puede obtener de una cadena de bloques y es posible verificar que esta transacción registrada no se haya alterado. Una cadena de bloques puede considerarse un poseedor de registros indiscutible. Además, una cadena de bloques puede proporcionar protección de integridad y pseudoanonimato. Una de las aplicaciones más conocidas de la tecnología de la cadena de bloques es el libro mayor público de transacciones para la moneda criptográfica bitcoin, que tiene como objetivo almacenar transacciones financieras.A blockchain (also called a blockchain) is a distributed ledger that maintains an ever-growing list of transactional data records that are supposed to be resistant to tampering and review. Generally, a blockchain relies on a timestamp server which, after grouping recent transactions into blocks, takes a hash of a block to time stamp and publishes the hash widely. The hash allows you to prove that the data must have existed at that time. The hash of each block includes the hash of the previous block. Hence, a blockchain is created where each block is linked to its predecessor. Therefore, a transaction recorded in a block can be obtained from a chain of blocks and it is possible to verify that this recorded transaction has not been tampered with. A blockchain can be considered an undisputed record holder. Additionally, a blockchain can provide pseudo-anonymity and integrity protection. One of the best-known applications of blockchain technology is the public transaction ledger for the crypto currency bitcoin, which aims to store financial transactions.
En aras de la brevedad, en la presente memoria descriptiva, en ocasiones se utiliza la palabra "usuario" en lugar de "dispositivo de usuario". De manera similar, en ocasiones se utiliza "emisor" en lugar de "dispositivo emisor" y "verificador" en lugar de "dispositivo verificador".For the sake of brevity, the word "user" is sometimes used in the present specification instead of "user device". Similarly, "issuer" is sometimes used instead of "issuing device" and "verifier" is used instead of "verifying device."
La Figura 1 ilustra un primer ejemplo de secuencia para una emisión de identidad según la invención.Figure 1 illustrates a first example of a sequence for an identity emission according to the invention.
En este ejemplo, se supone que el emisor gestiona un dispositivo emisor que puede ser un servidor de identidad capaz de generar identidades de confianza y el usuario es una persona que se supone gestiona un dispositivo de usuario que puede ser un ordenador portátil.In this example, it is assumed that the sender manages a sending device that can be an identity server capable of generating trusted identities and the user is a person that is supposed to manage a user device that can be a laptop.
El dispositivo de usuario puede ser capaz de comunicarse con el servidor de identidad (dispositivo emisor) a través de cualquier tipo de red. Por ejemplo, la comunicación puede establecerse a través de una combinación de un canal inalámbrico (como Wi-Fi® o Bluetooth®) y un canal cableado (como Ethernet).The user device may be able to communicate with the identity server (sending device) over any type of network. For example, communication can be established through a combination of a wireless channel (such as Wi-Fi® or Bluetooth®) and a wired channel (such as Ethernet).
Primero, el usuario (o dispositivo de usuario) solicita al emisor de identidad (o dispositivo emisor) una ID de identidad de confianza. El usuario proporciona los documentos necesarios (por ejemplo, certificado de nacimiento y, opcionalmente, datos biométricos) que prueban su identidad.First, the user (or user device) requests the identity issuer (or issuing device) for a trusted identity ID. The user provides the necessary documents (for example, birth certificate and, optionally, biometric data) that prove their identity.
Luego, el emisor verifica los documentos. Si todo está bien, el emisor crea una nueva ID de identidad de confianza y se la envía al usuario para que la guarde.Then the issuer verifies the documents. If all is well, the issuer creates a new Trusted Identity ID and sends it to the user to save.
Según la invención, el usuario elige tener un registro público (es decir, un registro en un libro mayor público): el usuario envía una solicitud de firma al emisor. Esta solicitud contiene la clave pública Kpu del usuario.According to the invention, the user chooses to have a public record (that is, a record in a public ledger): the user sends a signature request to the issuer. This request contains the user's Kpu public key.
Luego, el emisor firma digitalmente la identidad de confianza y la clave pública de usuario (ID | Kpu) y le da la firma resultante (es decir, la firma del emisor) al usuario.The issuer then digitally signs the trusted identity and user public key (ID | Kpu) and gives the resulting signature (that is, the issuer's signature) to the user.
El usuario utiliza una clave secreta K para cifrar la ID de identidad de confianza, para generar una identidad de confianza cifrada (e_ID). Luego, el usuario obtiene una clave de cifrado de clave (es decir, KEK). Deriva una clave (o par de claves) KEK a partir de un par de claves pública/privada. El parámetro de derivación se puede manejar de una serie de formas. Luego, el usuario cifra la clave secreta K utilizando la clave de cifrado de clave KEK (clave pública si es un par de claves), resultando la clave cifrada e_K. En esta etapa, el usuario crea una transacción de cadena de bloques T que contiene un blob que incluye la firma del emisor, la identidad de confianza cifrada e_ID y la clave secreta cifrada e_K.The user uses a secret key K to encrypt the trusted identity ID, to generate an encrypted trusted identity (e_ID). The user then gets a key encryption key (i.e. KEK). Derive a key (or key pair) KEK from a public / private key pair. The derivation parameter can be handled in a number of ways. The user then encrypts the secret key K using the key encryption key KEK (public key if it is a key pair), resulting in the encrypted key e_K. At this stage, the user creates a blockchain transaction T that contains a blob that includes the issuer's signature, the encrypted trusted identity e_ID, and the encrypted secret key e_K.
En ambos casos, el usuario envía la transacción a una cadena de bloques. Una vez que se verifica la transacción T (por la entidad que gestiona la cadena de bloques), la transacción T se registra en la cadena de bloques.In both cases, the user submits the transaction to a blockchain. Once transaction T is verified (by the entity managing the blockchain), transaction T is recorded on the blockchain.
En una realización, la invención puede implementarse utilizando el formato de transacción de Bitcoin si la cadena de bloques es una cadena de bloques de Bitcoin. En este caso, se crean múltiples direcciones de salida del blob de datos. Otra dirección de salida puede ser la dirección del usuario. También se pueden definir nuevos formatos de transacción para facilitar el registro de activos digitales.In one embodiment, the invention can be implemented using the Bitcoin transaction format if the blockchain is a Bitcoin blockchain. In this case, multiple data blob output addresses are created. Another output address can be the user's address. New transaction formats can also be defined to facilitate the registration of digital assets.
La Figura 2 ilustra un ejemplo de secuencia de prueba de identidad según la invención.Figure 2 illustrates an example identity test sequence according to the invention.
En este ejemplo, se supone que se ha creado y registrado una transacción de cadena de bloques según la invención.In this example, it is assumed that a blockchain transaction has been created and recorded according to the invention.
Se supone que el verificador gestiona un dispositivo verificador que es capaz de acceder a la cadena de bloques e interactuar con el dispositivo de usuario. El dispositivo de verificación puede ser un servidor conectado a Internet, por ejemplo.The verifier is supposed to manage a verifier device that is capable of accessing the blockchain and interacting with the user device. The verification device can be a server connected to the Internet, for example.
En este ejemplo, el usuario desea utilizar algún servicio proporcionado por el verificador o desea interactuar con el verificador en general. El verificador necesita la ID de identidad del usuario. Quiere verificar que la ID de identidad de confianza sea emitida verdaderamente por una autoridad emisora y quiere que el usuario demuestre que la ID de identidad de confianza se le ha emitido verdaderamente.In this example, the user wants to use some service provided by the verifier or wants to interact with the verifier in general. The verifier needs the identity ID of the user. You want to verify that the trusted identity ID is truly issued by a issuing authority, and you want the user to prove that the trusted identity ID has truly been issued to them.
Primero, el usuario (o dispositivo de usuario) le dice al verificador su ID de identificador de transacción de cadena de bloques (o un identificador que puede identificar la transacción o registro del usuario) y una referencia que permite identificar al emisor de la ID de identidad de confianza. Además, el usuario también puede proporcionar al verificador su clave pública Kpu.First, the user (or user device) tells the verifier their blockchain transaction identifier ID (or an identifier that can identify the user's transaction or record) and a reference that identifies the issuer of the transaction ID. trusted identity. In addition, the user can also provide the verifier with his Kpu public key.
Usando la ID de identificador de transacción, el verificador encuentra la transacción T de la cadena de bloques y verifica la transacción T. En otras palabras, el verificador comprueba la autenticidad e integridad de la transacción registrada. Si la transacción T se comprueba con éxito, el verificador continúa de la siguiente manera.Using the transaction identifier ID, the verifier finds transaction T in the blockchain and verifies transaction T. In other words, the verifier checks the authenticity and integrity of the recorded transaction. If transaction T is verified successfully, the verifier continues as follows.
El verificador verifica al usuario, de hecho el propietario de esta transacción, enviando un desafío C. En respuesta, el usuario firma el desafío C usando su clave privada Kpr y envía el resultado de vuelta al verificador. El verificador verifica la firma del usuario recibida. En caso de una verificación exitosa, el verificador continúa de la siguiente manera.The verifier verifies the user, in fact the owner of this transaction, by sending a challenge C. In response, the user signs challenge C using his private key Kpr and sends the result back to the verifier. The verifier verifies the received user's signature. In case of a successful verification, the verifier continues as follows.
Si los datos están cifrados, el verificador envía la clave cifrada e_K (que se encuentra en la transacción) y su propia clave pública V_Kpub al usuario.If the data is encrypted, the verifier sends the encrypted key e_K (found in the transaction) and its own public key V_Kpub to the user.
Luego, el usuario vuelve a cifrar la clave secreta K con la clave pública del verificador V_Kpub, lo que da como resultado una nueva clave cifrada V_e_K y la envía al verificador. Por ejemplo, el usuario descifra la clave cifrada e_K usando la clave KEK y recupera el secreto K, y luego vuelve a cifrar la clave secreta K con la clave pública del verificador V_Kpub. En este caso, el usuario puede eliminar luego la clave secreta K.The user then re-encrypts the secret key K with the verifier's public key V_Kpub, resulting in a new encrypted key V_e_K and sends it to the verifier. For example, the user decrypts the encrypted key e_K using the key KEK and retrieves the secret K, and then re-encrypts the secret key K with the verifier public key V_Kpub. In this case, the user can then delete the secret key K.
Luego, el verificador descifra la nueva clave cifrada V_e_K con su clave privada y recupera la clave secreta. El verificador ahora puede descifrar la identidad cifrada e_ID utilizando la clave secreta K y recupera la ID de identidad de confianza.Then the verifier decrypts the new encrypted key V_e_K with your private key and retrieves the secret key. The verifier can now decrypt the encrypted identity e_ID using the secret key K and retrieve the trusted identity ID.
El verificador verifica la firma del Emisor utilizando la ID del usuario, la clave pública Kpu del usuario y la clave pública del emisor. Si la verificación tiene éxito, el verificador puede proporcionar servicio al usuario.The verifier verifies the Issuer's signature using the user's ID, the user's Kpu public key, and the issuer's public key. If the verification is successful, the verifier can provide service to the user.
Al final, el verificador ha verificado que el emisor verdaderamente ha emitido la ID de identidad de confianza al usuario que tiene la clave privada correspondiente a la clave pública del usuario.In the end, the verifier has verified that the issuer has indeed issued the trusted identity ID to the user who has the private key corresponding to the user's public key.
Gracias a la invención, el verificador puede comprobar la identidad de confianza del usuario sin contactar con el emisor original.Thanks to the invention, the verifier can verify the trusted identity of the user without contacting the original issuer.
Alternativamente, el usuario puede conservar la ID de identidad de confianza en lugar de ponerla en la transacción de la cadena de bloques. En este caso, el usuario presenta la ID de identidad de confianza al verificador y el verificador comprueba el registro de la cadena de bloques para verificar que la ID de identidad de confianza pertenece al usuario. Alternatively, the user can keep the trusted identity ID instead of putting it in the blockchain transaction. In this case, the user presents the trusted identity ID to the verifier and the verifier checks the blockchain record to verify that the trusted identity ID belongs to the user.
En un ejemplo, el par de claves del usuario es el mismo que el par de claves asociado con la dirección de la cadena de bloques.In one example, the user's key pair is the same as the key pair associated with the blockchain address.
En otro ejemplo, el par de claves del usuario es diferente del asociado con la dirección de la cadena de bloques. La Figura 3 ilustra un segundo ejemplo de secuencia para una emisión de identidad según la invención.In another example, the user's key pair is different from the one associated with the blockchain address. Figure 3 illustrates a second example sequence for an identity emission according to the invention.
Los primeros pasos son similares a los descritos en la Figura 1.The first steps are similar to those described in Figure 1.
El usuario elige tener un registro público: el dispositivo del usuario envía una solicitud de firma al dispositivo emisor. Esta solicitud contiene tanto la clave pública (Kpu4Id) del usuario como una dirección de cadena de bloques.The user chooses to have a public record: the user's device sends a signature request to the issuing device. This request contains both the user's public key (Kpu4Id) and a blockchain address.
Luego, el emisor firma digitalmente la identidad de confianza de la pareja y la clave pública de usuario recibida (ID | Kpu4Id) para generar una firma del emisor.The issuer then digitally signs the partner's trusted identity and received user public key (ID | Kpu4Id) to generate a signature from the issuer.
El dispositivo emisor genera una identidad cifrada e_ID cifrando la ID de identidad de confianza con una clave secreta K generada en el dispositivo emisor. El dispositivo emisor también genera una clave cifrada e_K cifrando la clave secreta K utilizando la clave pública de usuario recibida (Kpu4Id).The sending device generates an encrypted identity e_ID by encrypting the trusted identity ID with a secret key K generated in the sending device. The sending device also generates an encrypted key e_K by encrypting the secret key K using the received user public key (Kpu4Id).
Luego, el dispositivo emisor crea una transacción de cadena de bloques T que contiene un activo digital que incluye la firma del emisor generada, la identidad cifrada e_ID y la clave cifrada e_K. El dispositivo emisor envía la transacción de la cadena de bloques T a la Cadena de Bloques para la verificación y el almacenamiento de la transacción en la dirección de la cadena de bloques proporcionada por el usuario.The issuing device then creates a blockchain transaction T containing a digital asset that includes the generated issuer's signature, the encrypted identity e_ID, and the encrypted key e_K. The sending device sends the blockchain transaction T to the Blockchain for verification and storage of the transaction at the blockchain address provided by the user.
En lugar de cifrar completamente la ID de identidad de confianza, la ID de identidad de confianza también puede estar parcialmente cifrada. Por ejemplo, el identificador puede estar claro mientras que los atributos están cifrados. En otra realización (no mostrada), el emisor de la ID le da un documento de identidad (digital) al usuario, calcula un hash criptográfico de la ID de identidad de confianza y transfiere el hash calculado de la ID al usuario a través de la cadena de bloques como un activo digital.Instead of fully encrypting the trusted identity ID, the trusted identity ID can also be partially encrypted. For example, the identifier can be clear while the attributes are encrypted. In another embodiment (not shown), the issuer of the ID gives a (digital) identity document to the user, computes a cryptographic hash of the trusted identity ID, and passes the computed hash of the ID to the user through the blockchain as a digital asset.
Por ejemplo, al recibir la solicitud que comprende tanto la clave pública del usuario como una dirección de cadena de bloques, el dispositivo emisor calcula un hash de la ID de identidad de confianza. El dispositivo emisor envía la ID de identidad de confianza al dispositivo del usuario y crea una transacción de cadena de bloques T que contiene el hash. Luego, el dispositivo emisor envía esta transacción de cadena de bloques T a la cadena de bloques para la verificación y almacenamiento de la transacción en la dirección de la cadena de bloques del usuario. Luego, el dispositivo de usuario puede recibir la transacción de la cadena de bloques T de la cadena de bloques.For example, upon receiving the request that comprises both the user's public key and a blockchain address, the sending device computes a hash of the trusted identity ID. The sending device sends the trusted identity ID to the user device and creates a blockchain transaction T that contains the hash. The sending device then sends this blockchain transaction T to the blockchain for verification and storage of the transaction at the user's blockchain address. Then the user device can receive the transaction from the blockchain T from the blockchain.
La cadena de bloques en esta invención puede ser una cadena de bloques pública utilizada para más de un propósito, o una cadena de bloques privada que sirve a la identidad y propósitos asociados. Cabe señalar que uno o más emisores de identidad pueden utilizar la misma cadena de bloques.The blockchain in this invention can be a public blockchain used for more than one purpose, or a private blockchain that serves the identity and associated purposes. It should be noted that one or more identity issuers can use the same blockchain.
La Figura 4 ilustra esquemáticamente un ejemplo de un dispositivo emisor según la invención.Figure 4 schematically illustrates an example of an emitter device according to the invention.
El dispositivo emisor puede ser un servidor que comprende un agente generador configurado para generar una identidad de confianza para un usuario. El dispositivo emisor comprende un agente de firma configurado para recibir una solicitud de firma que comprende tanto una dirección de cadena de bloques como una clave pública asignada al usuario. El agente de firma está configurado para calcular una firma de emisor firmando tanto la identidad de confianza del usuario como la clave pública del usuario utilizando una clave privada de emisor asignada al emisor. El dispositivo emisor comprende un agente hash configurado para calcular un hash de la identidad de confianza. Por ejemplo, el agente hash puede implementar los algoritmos SHA-2 (Algoritmos Hash Seguros definidos por la Agencia de Seguridad Nacional). El dispositivo emisor comprende un agente de transacciones configurado para crear una transacción de cadena de bloques T que contiene un activo digital que incluye la firma del emisor y el hash. El agente de transacciones está configurado para enviar esta transacción de la cadena de bloques a una Cadena de Bloques para la verificación y el almacenamiento de la transacción en la dirección de la cadena de bloques del usuario.The sending device can be a server comprising a generating agent configured to generate a trusted identity for a user. The issuing device comprises a signature agent configured to receive a signature request that comprises both a blockchain address and a public key assigned to the user. The signing agent is configured to calculate an issuer signature by signing both the user's trusted identity and the user's public key using an issuer private key assigned to the issuer. The sending device comprises a hash agent configured to calculate a hash of the trusted identity. For example, the hash agent can implement the SHA-2 algorithms (Secure Hash Algorithms defined by the National Security Agency). The issuing device comprises a transaction agent configured to create a blockchain transaction T containing a digital asset that includes the issuer's signature and hash. The transaction agent is configured to send this blockchain transaction to a Blockchain for verification and storage of the transaction at the user's blockchain address.
En otro ejemplo (no mostrado), el dispositivo emisor puede comprender un agente generador y un agente de firma como se describió anteriormente. Además, el dispositivo emisor puede comprender un generador de claves adaptado para generar una clave secreta y un agente de cifrado configurado para generar una identidad cifrada cifrando la identidad de confianza con la clave secreta generada. El dispositivo emisor comprende un agente de transacciones configurado para crear una transacción de cadena de bloques que contiene un activo digital que incluye la firma del emisor, la identidad cifrada y la clave cifrada. El agente de transacciones también está configurado para enviar la transacción de la cadena de bloques a una Cadena de Bloques para la verificación y el almacenamiento de la transacción en la dirección de la cadena de bloques.In another example (not shown), the issuing device may comprise a generating agent and a signing agent as described above. Furthermore, the sending device may comprise a key generator adapted to generate a secret key and an encryption agent configured to generate an encrypted identity by encrypting the trusted identity with the generated secret key. The issuing device comprises a transaction agent configured to create a blockchain transaction containing a digital asset that includes the issuer's signature, encrypted identity, and encrypted key. The transaction agent is also configured to send the transaction from the blockchain to a Blockchain for verification and storage of the transaction at the address of the blockchain.
La Figura 5 ilustra esquemáticamente un ejemplo de un dispositivo de usuario según la invención. Figure 5 schematically illustrates an example of a user device according to the invention.
El dispositivo de usuario puede ser un teléfono inteligente que comprende un agente de solicitud configurado para generar una solicitud de firma que comprende la clave pública del usuario del dispositivo de usuario y enviar la solicitud a un dispositivo emisor. El dispositivo de usuario comprende un agente de transacciones configurado para recibir, en respuesta a la solicitud, una firma del emisor generada al firmar tanto la identidad de confianza del usuario como la clave pública del usuario utilizando una clave privada asignada al emisor. El agente de transacciones también está configurado para crear una transacción de cadena de bloques que contiene la firma del emisor y enviar esta transacción de cadena de bloques a una Cadena de Bloques para su verificación y almacenamiento.The user device can be a smartphone comprising a request agent configured to generate a signature request comprising the public key of the user of the user device and send the request to an issuing device. The user device comprises a transaction agent configured to receive, in response to the request, an issuer signature generated by signing both the user's trusted identity and the user's public key using a private key assigned to the issuer. The transaction agent is also configured to create a blockchain transaction containing the issuer's signature and submit this blockchain transaction to a Blockchain for verification and storage.
En otro ejemplo (no mostrado), el dispositivo de usuario puede comprender un agente de solicitud similar al descrito anteriormente y un agente de cifrado configurado para generar una clave secreta y generar una identidad cifrada cifrando la identidad de confianza del usuario recibida con la clave secreta generada. . El agente de cifrado también está configurado para generar una clave cifrada e_K cifrando la clave secreta K utilizando una clave de cifrado de claves. El agente de cifrado está configurado para identificar la clave de cifrado que se utilizará. Por ejemplo, puede derivar la KEK a partir de una clave secreta, que guarda.In another example (not shown), the user device may comprise a request agent similar to the one described above and an encryption agent configured to generate a secret key and generate an encrypted identity by encrypting the trusted identity of the user received with the secret key. generated. . The encryption agent is also configured to generate an encrypted key e_K by encrypting the secret key K using a key encryption key. The encryption agent is configured to identify the encryption key to use. For example, you can derive the KEK from a secret key, which you save.
Preferiblemente, el dispositivo de usuario puede comprender un agente remitente (no mostrado) configurado para enviar un mensaje a un dispositivo verificador, comprendiendo el mensaje una ID de identificador de transacción y una clave pública de usuario Kpu asignada al usuario. El dispositivo de usuario también puede comprender un agente criptográfico configurado para calcular una respuesta firmando un desafío C recibido de un dispositivo verificador usando la clave privada del usuario Kpr y para enviar la respuesta al dispositivo verificador.Preferably, the user device may comprise a sending agent (not shown) configured to send a message to a verifying device, the message comprising a transaction identifier ID and a user public key Kpu assigned to the user. The user device may also comprise a cryptographic agent configured to calculate a response by signing a challenge C received from a verifying device using the user's private key Kpr and to send the response to the verifying device.
La Figura 6 ilustra esquemáticamente un ejemplo de un dispositivo verificador según la invención.Figure 6 schematically illustrates an example of a verification device according to the invention.
El dispositivo verificador puede ser un servidor que comprende un agente de acceso de cadena de bloques configurado para recibir de un dispositivo de usuario un mensaje que comprende una ID de identificación de transacción y una clave pública de usuario Kpu asignada al usuario del dispositivo de usuario, y para recuperar una transacción de cadena de bloques (que comprende una firma del emisor) de una cadena de bloques utilizando la ID de identificador de transacción.The verifying device may be a server comprising a blockchain access agent configured to receive from a user device a message comprising a transaction identification ID and a user public key Kpu assigned to the user of the user device, and to retrieve a blockchain transaction (comprising an issuer signature) from a blockchain using the transaction identifier ID.
El dispositivo verificador comprende un agente verificador de transacciones configurado para verificar (autenticidad/integridad) la transacción de la cadena de bloques recuperada.The verifying device comprises a transaction verifying agent configured to verify (authenticity / integrity) the recovered blockchain transaction.
El dispositivo verificador comprende un agente Administrador configurado para, en caso de verificación exitosa de la transacción, enviar un desafío C al dispositivo de usuario y obtener una respuesta calculada por el dispositivo de usuario.The verifying device comprises an Administrator agent configured to, in case of successful verification of the transaction, send a challenge C to the user device and obtain a response calculated by the user device.
El dispositivo verificador comprende un agente de Comprobación configurado para comprobar la respuesta utilizando la clave pública del usuario (Kpu).The verifying device comprises a Verifying agent configured to verify the response using the user's public key (Kpu).
El dispositivo verificador comprende un agente verificador de firmas configurado para, en caso de comprobación de respuesta exitosa, verificar la firma del emisor utilizando la identidad de confianza del usuario, la clave pública del usuario y la clave pública del emisor.The verifying device comprises a signature verifying agent configured to, in case of successful response verification, verifying the issuer's signature using the user's trusted identity, the user's public key and the issuer's public key.
Alternativamente, el dispositivo verificador puede configurarse para recuperar un hash de una transacción de cadena de bloques y para verificar si este hash es compatible con la identidad de confianza.Alternatively, the verifying device can be configured to retrieve a hash of a blockchain transaction and to verify if this hash is compatible with the trusted identity.
Opcionalmente, el dispositivo verificador puede configurarse para recibir la identidad de confianza directamente desde el dispositivo de usuario.Optionally, the verifying device can be configured to receive the trusted identity directly from the user device.
Los agentes del dispositivo emisor, dispositivo de usuario y dispositivo verificador pueden implementarse como componentes de software. Preferiblemente, algunas características criptográficas pueden realizarse mediante componentes de hardware.The sender device, user device, and verifier device agents can be implemented as software components. Preferably, some cryptographic features can be realized by hardware components.
Gracias a la invención, solo el propietario del fideicomiso puede demostrar la propiedad de la identidad de confianza. Un robo no puede demostrar la propiedad porque no tiene la clave privada.Thanks to the invention, only the owner of the trust can prove ownership of the trusted identity. A robbery cannot prove ownership because it does not have the private key.
El verificador puede verificar el propietario y la fiabilidad de una identidad o atributos de confianza.The verifier can verify the owner and trustworthiness of an identity or trusted attributes.
Debe entenderse, dentro del alcance de la invención, que las realizaciones descritas anteriormente se proporcionan como ejemplos no limitativos. Las características de los ejemplos descritos pueden combinarse total y parcialmente. It should be understood, within the scope of the invention, that the embodiments described above are provided as non-limiting examples. The characteristics of the examples described can be totally and partially combined.
Claims (4)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/978,568 US10079682B2 (en) | 2015-12-22 | 2015-12-22 | Method for managing a trusted identity |
| PCT/EP2016/081911 WO2017108783A1 (en) | 2015-12-22 | 2016-12-20 | Method for managing a trusted identity |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| ES2881289T3 true ES2881289T3 (en) | 2021-11-29 |
Family
ID=57589049
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| ES16815856T Active ES2881289T3 (en) | 2015-12-22 | 2016-12-20 | Method to manage a trusted identity |
Country Status (7)
| Country | Link |
|---|---|
| US (2) | US10079682B2 (en) |
| EP (1) | EP3395006B1 (en) |
| JP (2) | JP2019506103A (en) |
| ES (1) | ES2881289T3 (en) |
| HK (1) | HK1255142A1 (en) |
| SG (1) | SG11201804361YA (en) |
| WO (1) | WO2017108783A1 (en) |
Families Citing this family (129)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11277412B2 (en) | 2018-05-28 | 2022-03-15 | Royal Bank Of Canada | System and method for storing and distributing consumer information |
| CA2984888A1 (en) * | 2015-05-05 | 2016-11-10 | ShoCard, Inc. | Identity management service using a block chain |
| US20170195336A1 (en) * | 2016-01-05 | 2017-07-06 | Sensormatic Electronics, LLC | Method and System for Non-Authoritative Identity and Identity Permissions Broker and Use Thereof |
| WO2017152150A1 (en) | 2016-03-04 | 2017-09-08 | ShoCard, Inc. | Method and system for authenticated login using static or dynamic codes |
| US10007826B2 (en) | 2016-03-07 | 2018-06-26 | ShoCard, Inc. | Transferring data files using a series of visual codes |
| US10509932B2 (en) | 2016-03-07 | 2019-12-17 | ShoCard, Inc. | Large data transfer using visual codes with feedback confirmation |
| US10366388B2 (en) * | 2016-04-13 | 2019-07-30 | Tyco Fire & Security Gmbh | Method and apparatus for information management |
| KR101780636B1 (en) * | 2016-05-16 | 2017-09-21 | 주식회사 코인플러그 | Method for issuing certificate information and blockchain-based server using the same |
| KR101799343B1 (en) * | 2016-05-16 | 2017-11-22 | 주식회사 코인플러그 | Method for using, revoking certificate information and blockchain-based server using the same |
| US10341309B1 (en) * | 2016-06-13 | 2019-07-02 | Allstate Insurance Company | Cryptographically protecting data transferred between spatially distributed computing devices using an intermediary database |
| WO2017218983A1 (en) * | 2016-06-16 | 2017-12-21 | The Bank Of New York Mellon | Distributed, centrally authored block chain network |
| US10454683B2 (en) * | 2016-06-17 | 2019-10-22 | Capital One Services, Llc | Blockchain systems and methods for user authentication |
| US11336432B2 (en) | 2016-07-29 | 2022-05-17 | Workday, Inc. | System and method for blockchain-based device authentication based on a cryptographic challenge |
| US10735197B2 (en) | 2016-07-29 | 2020-08-04 | Workday, Inc. | Blockchain-based secure credential and token management across multiple devices |
| US10637665B1 (en) | 2016-07-29 | 2020-04-28 | Workday, Inc. | Blockchain-based digital identity management (DIM) system |
| US10715312B2 (en) * | 2016-07-29 | 2020-07-14 | Workday, Inc. | System and method for blockchain-based device authentication based on a cryptographic challenge |
| US10715311B2 (en) * | 2017-07-28 | 2020-07-14 | Workday, Inc. | System and method for blockchain-based user authentication based on a cryptographic challenge |
| US11088855B2 (en) | 2016-07-29 | 2021-08-10 | Workday, Inc. | System and method for verifying an identity of a user using a cryptographic challenge based on a cryptographic operation |
| US10700861B2 (en) * | 2016-07-29 | 2020-06-30 | Workday, Inc. | System and method for generating a recovery key and managing credentials using a smart blockchain contract |
| US10735182B2 (en) | 2016-08-10 | 2020-08-04 | Peer Ledger Inc. | Apparatus, system, and methods for a blockchain identity translator |
| US10475272B2 (en) | 2016-09-09 | 2019-11-12 | Tyco Integrated Security, LLC | Architecture for access management |
| US11769146B1 (en) * | 2016-09-30 | 2023-09-26 | Hrb Innovations, Inc. | Blockchain transactional identity verification |
| US10747744B2 (en) | 2016-10-10 | 2020-08-18 | AlphaPoint | Distributed ledger comprising snapshots |
| EP3340149A1 (en) * | 2016-12-22 | 2018-06-27 | Mastercard International Incorporated | Methods and systems for validating an interaction |
| CA3052415C (en) * | 2017-02-01 | 2021-07-06 | Equifax, Inc. | Verifying an identity based on multiple distributed data sources using a blockchain to safeguard the identity |
| US9992022B1 (en) | 2017-02-06 | 2018-06-05 | Northern Trust Corporation | Systems and methods for digital identity management and permission controls within distributed network nodes |
| US10498541B2 (en) | 2017-02-06 | 2019-12-03 | ShocCard, Inc. | Electronic identification verification methods and systems |
| USRE49968E1 (en) | 2017-02-06 | 2024-05-14 | Ping Identity Corporation | Electronic identification verification methods and systems with storage of certification records to a side chain |
| WO2018170341A1 (en) | 2017-03-15 | 2018-09-20 | NuID, Inc. | Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication |
| US11538031B2 (en) | 2017-03-31 | 2022-12-27 | Vijay Madisetti | Method and system for identity and access management for blockchain interoperability |
| US10832230B2 (en) * | 2017-04-04 | 2020-11-10 | International Business Machines Corporation | Scalable and distributed shared ledger transaction management |
| DE102017211201A1 (en) * | 2017-06-30 | 2019-01-03 | Siemens Aktiengesellschaft | Method for asymmetric key management and security-relevant installation |
| GB201711867D0 (en) * | 2017-07-24 | 2017-09-06 | Nchain Holdings Ltd | Computer-implemented system and method |
| JP7203828B2 (en) | 2017-08-29 | 2023-01-13 | エヌチェーン ライセンシング アーゲー | Constraints on the Output of Unlock Transactions in Blockchain |
| CN107579817A (en) * | 2017-09-12 | 2018-01-12 | 广州广电运通金融电子股份有限公司 | User ID authentication method, apparatus and system based on block chain |
| WO2019074568A1 (en) * | 2017-10-13 | 2019-04-18 | Visa International Service Association | Mitigating risk for hands-free interactions |
| WO2019098895A1 (en) * | 2017-11-17 | 2019-05-23 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and arrangement for detecting digital content tampering |
| WO2019096326A1 (en) * | 2017-11-20 | 2019-05-23 | Obook Holdings Inc. | Blockchain-based room inventory management system |
| CN107888382B (en) * | 2017-11-24 | 2019-11-19 | 中钞信用卡产业发展有限公司杭州区块链技术研究院 | A kind of methods, devices and systems of the digital identity verifying based on block chain |
| CN109840766B (en) * | 2017-11-27 | 2024-03-29 | 华为终端有限公司 | Equipment control method and related equipment thereof |
| WO2019113552A1 (en) | 2017-12-08 | 2019-06-13 | ShoCard, Inc. | Methods and systems for recovering data using dynamic passwords |
| WO2019118447A1 (en) * | 2017-12-11 | 2019-06-20 | Celo Labs Inc. | Decentralized database associating public keys and communications addresses |
| JP7067043B2 (en) * | 2017-12-13 | 2022-05-16 | 富士通株式会社 | Electronic trading equipment, electronic trading methods and programs |
| US9990504B1 (en) | 2017-12-18 | 2018-06-05 | Northern Trust Corporation | Systems and methods for generating and maintaining immutable digital meeting records within distributed network nodes |
| CN108305072B (en) * | 2018-01-04 | 2021-02-26 | 上海点融信息科技有限责任公司 | Method, apparatus, and computer storage medium for deploying a blockchain network |
| US11552795B2 (en) | 2018-01-22 | 2023-01-10 | Microsoft Technology Licensing, Llc | Key recovery |
| US11074997B2 (en) * | 2018-01-23 | 2021-07-27 | Statum Systems Inc. | Multi-modal encrypted messaging system |
| KR102601973B1 (en) * | 2018-01-26 | 2023-11-13 | 디피니티 스티프텅 | System architecture and how it processes data |
| EP4287104A3 (en) * | 2018-01-29 | 2024-01-17 | Panasonic Intellectual Property Corporation of America | Control method, controller, data structure, and electric power transaction system |
| CN108270551B (en) * | 2018-02-02 | 2020-09-25 | 上海二秒科技有限公司 | Security service construction system on block chain |
| CN108320149A (en) * | 2018-02-02 | 2018-07-24 | 上海二秒科技有限公司 | A kind of fund transfer system based on block chain technology |
| CN108282340A (en) * | 2018-02-02 | 2018-07-13 | 上海二秒科技有限公司 | A kind of block chain signature machine activation system of formalization |
| CN110167082B (en) | 2018-02-14 | 2021-11-30 | 中兴通讯股份有限公司 | Network switching method, device and system, and switching determination method and device |
| WO2019161453A1 (en) * | 2018-02-22 | 2019-08-29 | ScalaMed Pty Ltd | A computer system and a computer implemented method for determining fulfilment of an obligation to a user |
| US10453061B2 (en) | 2018-03-01 | 2019-10-22 | Capital One Services, Llc | Network of trust |
| US11792181B2 (en) | 2018-03-27 | 2023-10-17 | Workday, Inc. | Digital credentials as guest check-in for physical building access |
| US11698979B2 (en) | 2018-03-27 | 2023-07-11 | Workday, Inc. | Digital credentials for access to sensitive data |
| US11716320B2 (en) * | 2018-03-27 | 2023-08-01 | Workday, Inc. | Digital credentials for primary factor authentication |
| US11683177B2 (en) | 2018-03-27 | 2023-06-20 | Workday, Inc. | Digital credentials for location aware check in |
| US11792180B2 (en) | 2018-03-27 | 2023-10-17 | Workday, Inc. | Digital credentials for visitor network access |
| US11531783B2 (en) | 2018-03-27 | 2022-12-20 | Workday, Inc. | Digital credentials for step-up authentication |
| US11627000B2 (en) | 2018-03-27 | 2023-04-11 | Workday, Inc. | Digital credentials for employee badging |
| US11770261B2 (en) * | 2018-03-27 | 2023-09-26 | Workday, Inc. | Digital credentials for user device authentication |
| US11012436B2 (en) | 2018-03-27 | 2021-05-18 | Workday, Inc. | Sharing credentials |
| US11522713B2 (en) * | 2018-03-27 | 2022-12-06 | Workday, Inc. | Digital credentials for secondary factor authentication |
| US11641278B2 (en) * | 2018-03-27 | 2023-05-02 | Workday, Inc. | Digital credential authentication |
| US11700117B2 (en) | 2018-03-27 | 2023-07-11 | Workday, Inc. | System for credential storage and verification |
| CN108650077B (en) * | 2018-05-17 | 2021-05-28 | 深圳前海微众银行股份有限公司 | Block chain based information transmission method, terminal, equipment and readable storage medium |
| CN108737419B (en) * | 2018-05-22 | 2020-05-22 | 北京航空航天大学 | Trusted identifier life cycle management device and method based on block chain |
| US11038676B2 (en) * | 2018-05-25 | 2021-06-15 | Incertrust Technologies Corporation | Cryptographic systems and methods using distributed ledgers |
| US11212102B2 (en) * | 2018-07-03 | 2021-12-28 | Royal Bank Of Canada | System and method for an electronic identity brokerage |
| US10855667B2 (en) | 2018-06-01 | 2020-12-01 | Paypal, Inc. | Using keys with targeted access to the blockchain to verify and authenticate identity |
| CN108847933B (en) * | 2018-06-26 | 2020-11-03 | 西安电子科技大学 | SM9 cryptographic algorithm-based identification issuing method |
| US11356262B2 (en) | 2018-07-03 | 2022-06-07 | Royal Bank Of Canada | System and method for anonymous location verification |
| CN109102288B (en) * | 2018-08-13 | 2021-03-23 | 浙江大学 | Block chain and big data based employment relationship evaluation and recommendation system |
| US11257078B2 (en) * | 2018-08-20 | 2022-02-22 | Mastercard International Incorporated | Method and system for utilizing blockchain and telecom network for two factor authentication and enhancing security |
| WO2020050390A1 (en) * | 2018-09-07 | 2020-03-12 | 日本電信電話株式会社 | Right holder terminal, user terminal, right holder program, user program, content utilization system, and content utilization method |
| KR20200034020A (en) | 2018-09-12 | 2020-03-31 | 삼성전자주식회사 | Electronic apparatus and control method thereof |
| JP2022002351A (en) * | 2018-09-20 | 2022-01-06 | ソニーグループ株式会社 | Information processing device, information processing method, and program |
| US11171783B2 (en) * | 2018-09-28 | 2021-11-09 | Infosys Limited | System and method for decentralized identity management, authentication and authorization of applications |
| US11263630B2 (en) | 2018-10-12 | 2022-03-01 | Blackberry Limited | Method and system for single purpose public keys for public ledgers |
| US10979227B2 (en) | 2018-10-17 | 2021-04-13 | Ping Identity Corporation | Blockchain ID connect |
| US11082221B2 (en) | 2018-10-17 | 2021-08-03 | Ping Identity Corporation | Methods and systems for creating and recovering accounts using dynamic passwords |
| EP3644549A1 (en) * | 2018-10-23 | 2020-04-29 | Siemens Aktiengesellschaft | Issuing device and method for issuing and requesting device and method for requesting a digital certificate |
| US10588175B1 (en) * | 2018-10-24 | 2020-03-10 | Capital One Services, Llc | Network of trust with blockchain |
| US11494757B2 (en) | 2018-10-24 | 2022-11-08 | Capital One Services, Llc | Remote commands using network of trust |
| US11842331B2 (en) | 2018-10-24 | 2023-12-12 | Capital One Services, Llc | Network of trust for bill splitting |
| CN109495490B (en) * | 2018-12-04 | 2021-04-09 | 中国电子科技集团公司第三十研究所 | Block chain-based unified identity authentication method |
| CN109754250B (en) * | 2018-12-27 | 2021-06-08 | 石更箭数据科技(上海)有限公司 | Data transaction method and system, platform and storage medium |
| TWI704793B (en) | 2019-02-27 | 2020-09-11 | 財團法人工業技術研究院 | Object sharing system and object sharing method |
| CN109948371B (en) * | 2019-03-07 | 2021-06-25 | 深圳市智税链科技有限公司 | Method for issuing identity certificate for block chain node and related device |
| US20200311666A1 (en) | 2019-03-28 | 2020-10-01 | Ebay Inc. | Encoding sensor data and responses in a distributed ledger |
| US11487886B2 (en) * | 2019-05-03 | 2022-11-01 | International Business Machines Corporation | Database private document sharing |
| CN110263553B (en) * | 2019-05-13 | 2021-07-13 | 清华大学 | Database access control method and device based on public key verification and electronic equipment |
| US11838425B2 (en) | 2019-05-20 | 2023-12-05 | Jpmorgan Chase Bank, N.A. | Systems and methods for maintaining decentralized digital identities |
| JP7381614B2 (en) * | 2019-06-10 | 2023-11-15 | パスチーニ,マイルズ | Identity and risk scoring of government bond-backed token assets and related token transactions |
| EP3688633A4 (en) | 2019-07-02 | 2020-10-07 | Alibaba Group Holding Limited | System and method for verifying verifiable claims |
| CN111213147B (en) | 2019-07-02 | 2023-10-13 | 创新先进技术有限公司 | Systems and methods for blockchain-based cross-entity authentication |
| WO2019179534A2 (en) * | 2019-07-02 | 2019-09-26 | Alibaba Group Holding Limited | System and method for creating decentralized identifiers |
| CN111095865B (en) | 2019-07-02 | 2023-08-04 | 创新先进技术有限公司 | System and method for issuing verifiable claims |
| CN111164594B (en) | 2019-07-02 | 2023-08-25 | 创新先进技术有限公司 | System and method for mapping a de-centralized identity to a real entity |
| CN111316303B (en) | 2019-07-02 | 2023-11-10 | 创新先进技术有限公司 | Systems and methods for blockchain-based cross-entity authentication |
| CN110474775B (en) * | 2019-07-04 | 2020-09-01 | 阿里巴巴集团控股有限公司 | User creating method, device and equipment in block chain type account book |
| US10791122B2 (en) | 2019-07-04 | 2020-09-29 | Alibaba Group Holding Limited | Blockchain user account data |
| CN110336832B (en) * | 2019-07-24 | 2023-11-03 | 深圳传音控股股份有限公司 | Information encryption and decryption methods, devices and terminals |
| CN110505067B (en) * | 2019-09-11 | 2021-01-05 | 北京邮电大学 | Block chain processing method, device, equipment and readable storage medium |
| CN110519062B (en) * | 2019-09-19 | 2021-10-29 | 腾讯科技(深圳)有限公司 | Identity authentication method, authentication system and storage medium based on block chain |
| KR20210041404A (en) * | 2019-10-07 | 2021-04-15 | 삼성전자주식회사 | Electronic device and method for blockchain address management thereof |
| US11704636B2 (en) * | 2019-10-31 | 2023-07-18 | Adi Association | Proxied cross-ledger authentication |
| CN111181945B (en) * | 2019-12-24 | 2022-03-04 | 达闼机器人有限公司 | Digital identity management method and device, storage medium and electronic equipment |
| CN111277577B (en) * | 2020-01-14 | 2022-06-07 | 北京百度网讯科技有限公司 | Digital identity verification method, device, equipment and storage medium |
| CN114143041A (en) * | 2020-03-03 | 2022-03-04 | 支付宝实验室(新加坡)有限公司 | Identity verification method, device and equipment based on block chain and storage medium |
| CN113572717B (en) * | 2020-04-29 | 2024-02-20 | 青岛海尔洗涤电器有限公司 | Communication connection establishment method, washing and protecting equipment and server |
| DE102020205993B3 (en) * | 2020-05-13 | 2021-09-16 | Volkswagen Aktiengesellschaft | Concept for the exchange of cryptographic key information |
| CN111628871B (en) * | 2020-05-28 | 2021-09-03 | 广东工业大学 | Block chain transaction processing method and device, electronic equipment and storage medium |
| WO2022006736A1 (en) * | 2020-07-07 | 2022-01-13 | Nokia Shanghai Bell Co., Ltd. | Methods and apparatuses for device provisioning |
| CN112187466B (en) * | 2020-09-01 | 2023-05-12 | 深信服科技股份有限公司 | Identity management method, device, equipment and storage medium |
| CH717898A1 (en) * | 2020-09-24 | 2022-03-31 | Fqx Ag | Server for processing financial transactions. |
| CN112600672B (en) * | 2020-11-30 | 2022-02-25 | 清华大学 | Inter-domain credibility consensus method and device based on real identity |
| CN112636922B (en) * | 2020-12-21 | 2022-05-03 | 电子科技大学 | IOT identity authentication method based on non-interactive zero-knowledge proof |
| CN112733121B (en) * | 2021-01-13 | 2024-09-20 | 京东科技信息技术有限公司 | Data acquisition method, device, equipment and storage medium |
| CN113162915B (en) * | 2021-03-16 | 2023-01-20 | 中国工商银行股份有限公司 | Block chain based transaction method, node, electronic device, medium and system |
| US11170130B1 (en) | 2021-04-08 | 2021-11-09 | Aster Key, LLC | Apparatus, systems and methods for storing user profile data on a distributed database for anonymous verification |
| WO2023034527A1 (en) * | 2021-09-03 | 2023-03-09 | Numéraire Financial, Inc. | Generating and managing encrypted non-fungible tokenized assets |
| WO2023133521A1 (en) * | 2022-01-07 | 2023-07-13 | GCOM Software LLC | Method and system for digital identity and transaction verification |
| CN114598533B (en) * | 2022-03-10 | 2024-04-26 | 昆明理工大学 | Block chain side chain cross-chain identity trusted authentication and data encryption transmission method |
| CN114520720B (en) * | 2022-03-22 | 2023-06-16 | 暨南大学 | Multiparty authentication blockchain data uplink method based on TLS protocol |
| US12013924B1 (en) | 2022-12-07 | 2024-06-18 | Credence ID, LLC | Non-repudiable proof of digital identity verification |
| CN116094797B (en) * | 2023-01-05 | 2024-04-05 | 西安电子科技大学 | Distributed identity trust management method based on secure multiparty computation |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030156740A1 (en) * | 2001-10-31 | 2003-08-21 | Cross Match Technologies, Inc. | Personal identification device using bi-directional authorization for access control |
| CN100383694C (en) | 2003-10-17 | 2008-04-23 | 国际商业机器公司 | Maintaining privacy for transactions performable by a user device having a security module |
| US8023646B2 (en) | 2006-11-08 | 2011-09-20 | Voltage Security, Inc. | Identity-based-encryption extensions formed using multiple instances of an identity based encryption scheme |
| US9858569B2 (en) * | 2014-03-21 | 2018-01-02 | Ramanan Navaratnam | Systems and methods in support of authentication of an item |
| US9818092B2 (en) * | 2014-06-04 | 2017-11-14 | Antti Pennanen | System and method for executing financial transactions |
| CN104320262B (en) * | 2014-11-05 | 2017-07-21 | 中国科学院合肥物质科学研究院 | The method and system of client public key address binding, retrieval and the verification of account book technology are disclosed based on encryption digital cash |
| US9197638B1 (en) * | 2015-03-09 | 2015-11-24 | Michigan Health Information Network—MIHIN | Method and apparatus for remote identity proofing service issuing trusted identities |
| JP6636058B2 (en) | 2015-07-02 | 2020-01-29 | ナスダック, インコーポレイテッドNasdaq, Inc. | Source guarantee system and method in a distributed transaction database |
-
2015
- 2015-12-22 US US14/978,568 patent/US10079682B2/en active Active
-
2016
- 2016-12-20 SG SG11201804361YA patent/SG11201804361YA/en unknown
- 2016-12-20 WO PCT/EP2016/081911 patent/WO2017108783A1/en active Application Filing
- 2016-12-20 EP EP16815856.6A patent/EP3395006B1/en active Active
- 2016-12-20 JP JP2018551509A patent/JP2019506103A/en active Pending
- 2016-12-20 ES ES16815856T patent/ES2881289T3/en active Active
-
2018
- 2018-08-22 US US16/108,578 patent/US10673632B2/en active Active
- 2018-11-07 HK HK18114227.6A patent/HK1255142A1/en unknown
-
2020
- 2020-05-26 JP JP2020091212A patent/JP2020145733A/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| JP2019506103A (en) | 2019-02-28 |
| EP3395006A1 (en) | 2018-10-31 |
| US20170180128A1 (en) | 2017-06-22 |
| US10673632B2 (en) | 2020-06-02 |
| SG11201804361YA (en) | 2018-07-30 |
| US20180359092A1 (en) | 2018-12-13 |
| US10079682B2 (en) | 2018-09-18 |
| JP2020145733A (en) | 2020-09-10 |
| EP3395006B1 (en) | 2021-05-05 |
| HK1255142A1 (en) | 2019-08-09 |
| WO2017108783A1 (en) | 2017-06-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| ES2881289T3 (en) | Method to manage a trusted identity | |
| US11900368B2 (en) | Method and system for zero-knowledge and identity based key management for decentralized applications | |
| JP6528008B2 (en) | Personal Device Security Using Elliptic Curve Cryptography for Secret Sharing | |
| TWI709314B (en) | Data processing method and device | |
| CN101529797B (en) | System, device, and method for authenticating communication partner by means of electronic certificate including personal information | |
| KR101389100B1 (en) | A method and apparatus to provide authentication and privacy with low complexity devices | |
| WO2021174927A1 (en) | Blockchain-based identity verification method and apparatus, device, and storage medium | |
| AU2008261152A1 (en) | Privacy-Protected Biometric Tokens | |
| JP2004023796A (en) | Selectively disclosable digital certificate | |
| JP2010148098A (en) | Method and system for transient key digital stamp | |
| WO2020143318A1 (en) | Data verification method and terminal device | |
| Win et al. | Privacy enabled digital rights management without trusted third party assumption | |
| CN114785511A (en) | Certificate generation method and device, electronic device and storage medium | |
| Conley | Encryption, hashing, ppk, and blockchain: A simple introduction | |
| CN114389810B (en) | Method and device for generating certification, electronic equipment and storage medium | |
| JPH10135943A (en) | Portable information storage medium, verification method and verification system | |
| US7739500B2 (en) | Method and system for consistent recognition of ongoing digital relationships | |
| US10764260B2 (en) | Distributed processing of a product on the basis of centrally encrypted stored data | |
| US20150236858A1 (en) | Method for Creating a Derived Entity of an Original Data Carrier | |
| Patel et al. | The study of digital signature authentication process | |
| WO2021019783A1 (en) | Proprietor identity confirmation system, terminal, and proprietor identity confirmation method | |
| Manz | Digital Signature | |
| Ravindran et al. | A review paper on regulating bitcoin currencies | |
| More et al. | Decentralized Fingerprinting for Secure Peer-To-Peer Data Exchange of Aadhaar Via Public Key Infrastructure | |
| JP2007006319A (en) | Key exchange system, terminal, and program |